Windows system 0-day vulnerabilities raise Web3 security concerns: experts analyze the exploitation process
Analysis and Exploitation of Microsoft Windows System 0day Vulnerabilities
A recent Microsoft security patch fixes a win32k privilege-escalation vulnerability that is being exploited in the wild. The vulnerability exists mainly in earlier Windows versions and cannot be triggered on Windows 11. This article analyzes how attackers continue to exploit this class of vulnerability despite increasingly strengthened defenses. Our analysis was conducted on Windows Server 2016.
Vulnerability Background
A 0-day vulnerability is a security flaw that attackers know about before the vendor has disclosed or patched it; the name borrows from the T+0 settlement concept in financial markets, since zero days have passed since the flaw became known. Such a flaw can be exploited without detection and cause significant damage.
The recently discovered Windows 0-day allows a local attacker to escalate privileges and take complete control of the system. The consequences can be severe: leakage of personal information, system crashes, data loss, and financial losses. From a Web3 perspective, a user's private keys may be stolen and their digital assets transferred away. More broadly, because the Web3 ecosystem runs on Web2 infrastructure, a vulnerability of this kind can affect the entire ecosystem.
Vulnerability Analysis
Analysis of the patch code shows that the root cause is a reference-counting error. A comment in the earlier win32k code indicates that only the window object was locked; the menu object held by that window was not, so the menu object could be freed while a reference to it was still in use.
Further analysis shows that the menu object returned in the xxxEnableMenuItem function can be the window's main menu, a submenu, or a menu nested even deeper. This gives us a starting point for constructing a POC.
POC Implementation
We constructed a special multi-layer menu structure containing four menu objects with specific parent/child relationships. By carefully setting the properties and relationships of these menus, we bypass the checks in the xxxEnableMenuItem function and have the critical menu object freed by the time the function returns, so that the subsequent reference to that object triggers a use-after-free (UAF).
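The lock/refcount mistake described above, reduced to a user-mode model. This is an added illustration, not win32k code or the authors' POC: the object names, the "freed" flag, the callback mechanism and the enable_menu_item_* functions are assumptions that stand in for the kernel's thread-lock handling of window and menu objects. The vulnerable variant locks only the window before calling back into user mode; the fixed variant also locks the menu, so a destroy request made during the callback is deferred until the kernel path has finished using the object.

```c
/* Added illustrative model, not win32k code. Object names, the callback
 * mechanism and the "freed" flag are assumptions standing in for the
 * kernel's thread-lock/refcount handling of window and menu objects. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ACCESS_OK = 0, ACCESS_UAF = -1 };

typedef struct RefObj {
    int  refcount;   /* outstanding locks held by kernel code paths */
    int  destroyed;  /* user mode asked to destroy it (DestroyMenu-like) */
    int  freed;      /* memory actually released; any later use is a UAF */
    char name[16];
} RefObj;

typedef struct Window {
    RefObj  obj;
    RefObj *menu;    /* menu object owned by the window */
} Window;

static RefObj *obj_create(const char *name) {
    RefObj *o = calloc(1, sizeof *o);
    if (o) strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

/* Lock: keep the object alive while kernel code may call back into user mode. */
static void obj_lock(RefObj *o) { o->refcount++; }

/* Unlock: if a destroy was requested while locked, release it now. */
static void obj_unlock(RefObj *o) {
    if (--o->refcount <= 0 && o->destroyed) o->freed = 1;
}

/* Destroy request from user mode: released immediately unless locked. */
static void obj_destroy(RefObj *o) {
    o->destroyed = 1;
    if (o->refcount <= 0) o->freed = 1;
}

/* A user-mode callback reached from inside the kernel call (a window hook or
 * a re-entered window procedure); this is where the attacker frees the menu. */
typedef void (*callback_t)(Window *w);

/* Vulnerable pattern: only the window is locked; the menu it resolved is not. */
static int enable_menu_item_vuln(Window *w, callback_t cb) {
    obj_lock(&w->obj);
    RefObj *menu = w->menu;          /* resolved before the call-out */
    cb(w);                           /* menu may be destroyed in here */
    int rc = menu->freed ? ACCESS_UAF : ACCESS_OK;   /* later use of menu */
    obj_unlock(&w->obj);
    return rc;
}

/* Fixed pattern: lock the menu too, so its release is deferred past the use. */
static int enable_menu_item_fixed(Window *w, callback_t cb) {
    obj_lock(&w->obj);
    RefObj *menu = w->menu;
    obj_lock(menu);
    cb(w);
    int rc = menu->freed ? ACCESS_UAF : ACCESS_OK;
    obj_unlock(menu);                /* deferred release happens here */
    obj_unlock(&w->obj);
    return rc;
}

/* Attacker's callback: destroy the menu the kernel is still working with. */
static void attacker_callback(Window *w) { obj_destroy(w->menu); }

/* Run one scenario: returns the access result and, via released_after,
 * whether the menu had been released once the call completed. */
static int run_scenario(int (*fn)(Window *, callback_t), int *released_after) {
    Window w;
    memset(&w, 0, sizeof w);
    strncpy(w.obj.name, "window", sizeof w.obj.name - 1);
    w.menu = obj_create("menu");
    int rc = fn(&w, attacker_callback);
    if (released_after) *released_after = w.menu->freed;
    free(w.menu);
    return rc;
}

static int vuln_result(void)    { return run_scenario(enable_menu_item_vuln, NULL); }
static int fixed_result(void)   { return run_scenario(enable_menu_item_fixed, NULL); }
static int fixed_released(void) { int r = 0; run_scenario(enable_menu_item_fixed, &r); return r; }

int main(void) {
    printf("vulnerable path: %s\n", vuln_result() == ACCESS_UAF ? "use-after-free" : "ok");
    printf("fixed path: %s, menu released after unlock: %d\n",
           fixed_result() == ACCESS_OK ? "ok" : "use-after-free", fixed_released());
    return 0;
}
```

The fixed variant does not refuse the destroy; it only delays the release until the last lock is dropped, which is why the menu still ends up freed after the call but is never touched afterwards. That deferral is the whole difference between a correct refcount and the UAF the article exploits.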
Exploiting Vulnerability ( EXP )
Overall Idea
We considered two exploitation approaches: executing shellcode, or using read/write primitives to modify the process token. We chose the latter because it is more feasible on newer Windows versions, where kernel mitigations make direct shellcode execution harder. The exploitation process divides into two steps: controlling the cbwndextra value through the UAF, and then building stable read/write primitives from the controlled cbwndextra.
Initial Data Write
We use the name object of the window class (WNDCLASS) to reoccupy the memory of the freed menu object. After examining the possible write points, we chose the AND operation on the object flag in the xxxRedrawWindow function as the write that sets the cbwndextra value of the HWNDClass object.
Memory Layout
We designed a memory layout of three consecutive HWND (window) objects, with the middle one freed and reoccupied by the HWNDClass object. The first and third HWND objects are used to bypass the checks and to implement the final read and write primitives. By leaking the kernel addresses of the handles, we can precisely control the arrangement of these objects.
Read-Write Primitive Implementation
The arbitrary read primitive uses the GetMenuBarInfo function, and the arbitrary write primitive uses the SetClassLongPtr function. Except for the token write, which depends on the class object of the second window, all other writes go through the class object of the first window, addressed via offsets.
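The two-step idea from the exploitation section (corrupt one length field, then let an ordinary bounds-checked API reach the neighbouring objects) and the three-object layout, as an added user-mode model. This is not the exploit and not the authors' code: the pool allocator, the FakeWnd structure, its extra_len field (a stand-in for cbwndextra) and the wnd_read_extra/wnd_write_extra accessors are assumptions; the article's real primitives use GetMenuBarInfo and SetClassLongPtr, which are not modelled here. The point it shows is why a single controlled write into the first window's length field is enough: the accessors check only against that length, so everything after the object in memory, including the reoccupied middle slot and the third window, becomes readable and writable.

```c
/* Added illustrative model, not the exploit. The pool allocator, the FakeWnd
 * layout, the accessor functions and the field names are assumptions;
 * cbwndextra-style bounds are modelled by extra_len. Assumes little-endian. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 64
#define NSLOTS    8

/* Fixed-size pool with a LIFO free list. Objects of one size are placed in
 * consecutive slots, and a freed slot is handed back on the next allocation
 * of that size, which is what lets a same-size attacker object take over the
 * freed middle slot. */
static uint8_t pool[NSLOTS * SLOT_SIZE];
static int     free_list[NSLOTS];
static int     free_top;

static void pool_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_top++] = i;
}
static void *pool_alloc(void) {
    if (free_top == 0) return NULL;
    void *p = &pool[free_list[--free_top] * SLOT_SIZE];
    memset(p, 0, SLOT_SIZE);
    return p;
}
static void pool_free(void *p) {
    free_list[free_top++] = (int)(((uint8_t *)p - pool) / SLOT_SIZE);
}

/* Stand-in for a window object: a header followed by "extra" bytes whose
 * length is recorded in the object itself, like cbwndextra. */
typedef struct FakeWnd {
    uint32_t tag;
    uint32_t extra_len;              /* bytes of extra memory the APIs may touch */
    uint8_t  extra[SLOT_SIZE - 8];
} FakeWnd;

#define WND_TAG 0x444E5741u

/* Bounds-checked accessors: the only check is against extra_len, so a
 * corrupted extra_len turns them into read/write primitives over whatever
 * follows the object in memory. */
static int wnd_read_extra(const FakeWnd *w, uint32_t off, uint8_t *out) {
    if (off >= w->extra_len) return -1;
    *out = ((const uint8_t *)w + offsetof(FakeWnd, extra))[off];
    return 0;
}
static int wnd_write_extra(FakeWnd *w, uint32_t off, uint8_t v) {
    if (off >= w->extra_len) return -1;
    ((uint8_t *)w + offsetof(FakeWnd, extra))[off] = v;
    return 0;
}

/* Three consecutive windows; the middle one is freed and reoccupied with
 * attacker-controlled bytes (the class-name string in the article). */
static int build_layout(FakeWnd **first, FakeWnd **third) {
    pool_init();
    FakeWnd *w[3];
    for (int i = 0; i < 3; i++) {
        w[i] = pool_alloc();
        w[i]->tag = WND_TAG;
        w[i]->extra_len = sizeof w[i]->extra;   /* sane, in-bounds length */
    }
    pool_free(w[1]);
    uint8_t *spray = pool_alloc();
    if (spray != (uint8_t *)w[1]) return -1;    /* layout did not line up */
    memset(spray, 'A', SLOT_SIZE);              /* constructed attacker bytes */
    *first = w[0]; *third = w[2];
    return 0;
}

/* Step 1: one controlled write into the first window's length field.
 * Step 2: the bounded read now reaches the reoccupied middle slot.
 * Returns the first byte of that slot (0x41), or a negative code. */
static int read_into_middle_slot(void) {
    FakeWnd *a, *c; uint8_t v = 0;
    if (build_layout(&a, &c) != 0) return -1;
    uint32_t off_b = SLOT_SIZE - offsetof(FakeWnd, extra);  /* start of slot 1 */
    if (wnd_read_extra(a, off_b, &v) == 0) return -2;       /* refused while sane */
    a->extra_len = 3 * SLOT_SIZE;                           /* the one controlled write */
    if (wnd_read_extra(a, off_b, &v) != 0) return -3;
    return v;
}

/* The same corrupted length used as a write primitive into the third object:
 * overwrite the low byte of its extra_len (little-endian) and return it. */
static uint32_t write_into_third_object(void) {
    FakeWnd *a, *c;
    if (build_layout(&a, &c) != 0) return 0;
    a->extra_len = 3 * SLOT_SIZE;
    uint32_t off_c_len = 2 * SLOT_SIZE - offsetof(FakeWnd, extra) + offsetof(FakeWnd, extra_len);
    wnd_write_extra(a, off_c_len, 0xFF);
    return c->extra_len;
}

int main(void) {
    printf("byte read from reoccupied middle slot: 0x%02x\n", read_into_middle_slot());
    printf("third object's extra_len after OOB write: %u\n", write_into_third_object());
    return 0;
}
```

Read as a detection hint for the last section of the article: the abnormal signal is not the API call itself but a window whose extra-length field exceeds its allocation, or reads and writes that land outside the object that owns them.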
Summary
Microsoft is refactoring the win32k code in Rust; in future systems this class of vulnerability may be eliminated entirely.
The exploitation process for this type of vulnerability is relatively straightforward; the main difficulty is gaining control of the first data write.
The discovery of such vulnerabilities may benefit from more advanced code-coverage techniques.
For detection, beyond monitoring the key triggering functions, it is also necessary to detect abnormal memory layouts and abnormal data read/write operations.